Enhancements: Harden exec requests against SSRF

Created on 16 Jul 2020  路  16Comments  路  Source: kubernetes/enhancements

Enhancement Description

  • One-line enhancement description (can be used as a release note): Harden exec requests against SSRF by preventing command modification through URL parameters and GET requests.
  • Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/1898-hardened-exec
  • Primary contact (assignee): @tallclair
  • Responsible SIGs: sig-node, sig-api-machinery
  • Enhancement target (which target equals to which milestone):

    • Alpha release target: v1.20

    • Beta release target (x.y)

    • Stable release target (x.y)

Roadmap Summary:

  • [ ] v1.20

    • [ ] Update PodExecOptions with pod reference

    • [ ] Update Kubelet API (protected by DeprecatedKubeletStreamingAPI)

    • [ ] Remove the kubelet's /run and UID-specific endpoints

    • [ ] Require POST request for kubelet streaming endpoints

    • [ ] Require options in request body

    • [ ] Update kube-apiserver

    • [ ] Always use POST for streaming requests to Kubelet

    • [ ] Send options in request body (but also query params)

    • [ ] Require POST with request body for non-websocket exec requests, guarded by alpha HardenedExecRequests

    • [ ] Update clients to send exec POST requests with options in the body (and also in query params)

    • [ ] go client (+kubectl?)

    • ...

    • [ ] Expand E2E test coverage - https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/1898-hardened-exec#test-plan

siapi-machinery sinode stagalpha trackeno
Source
picture tallclair

Most helpful comment

Looks like this is not going to make the code freeze cutoff.

/milestone v1.21

picture tallclair on 5 Nov 2020
👍2

All 16 comments

/sig node
/sig api-machinery

For motivation, see https://github.com/kubernetes/kubernetes/issues/92914

tallclair picture tallclair on 16 Jul 2020

Hi @tallclair

Enhancements Lead here. Please update us once your KEP is up and please confirm that this is going to be alpha in 1.20.

Thanks!
Kirsten

kikisdeliveryservice picture kikisdeliveryservice on 14 Sep 2020

KEP is here: https://github.com/kubernetes/enhancements/pull/1899, expecting reviews next week.
Planning alpha implementation in v1.20, expecting KEP reviews next week.
/milestone v1.20

tallclair picture tallclair on 17 Sep 2020
👍1

Thanks! Added to tracking sheet. Also updated description above to add the KEP PR link. :+1:

kikisdeliveryservice picture kikisdeliveryservice on 18 Sep 2020

Also, as a reminder to be included in a release:

The KEP must be merged in an implementable state <-- yours is currently provisional, so don't forget to update this by enhancements freeze which is currently October 6th.
The KEP must have test plans
The KEP must have graduation criteria.

kikisdeliveryservice picture kikisdeliveryservice on 18 Sep 2020

Hi @tallclair

As a reminder October 6th is Enhancements Freeze. Thanks for the PR! It is missing graduation criteria for the current alpha milestone. Please update the KEP so that it can meet the required criteria and merge by next Tuesday.

Thanks!
Kirsten

kikisdeliveryservice picture kikisdeliveryservice on 3 Oct 2020

Double checked and the PR is now complete, so we're just waiting for it to get merged.

kikisdeliveryservice picture kikisdeliveryservice on 5 Oct 2020

Hey @tallclair!

Since your Enhancement is scheduled to be in 1.20, please keep in mind the important upcoming dates:
Friday, Nov 6th: Week 8 - Docs Placeholder PR deadline
Thursday, Nov 12th: Week 9 - Code Freeze

As a reminder, please link all of your k/k PR as well as docs PR to this issue so we can track them.

Thanks so much,

Kendall

kendallroden picture kendallroden on 12 Oct 2020
👍1

Hello @tallclair , 1.20 Docs shadow here.

Does this enhancement work planned for 1.20 require any new docs or modification to existing docs?

If so, please follows the steps here to open a PR against the dev-1.20 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Nov 6th.

Also take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

reylejano-rxm picture reylejano-rxm on 19 Oct 2020

I don't think this needs any docs beyond the release notes & auto-generated API reference.

tallclair picture tallclair on 27 Oct 2020

Hi @tallclair

Please keep in mind the important upcoming dates:

As a reminder, please link all of your k/k PR as well as docs PR to this issue for the release team to track.

annajung picture annajung on 2 Nov 2020

Hey @tallclair, I think I found at least one of the k/k PRs for this feature (#94115) - do you mind linking it to the issue for tracking?

Thanks,

Kendall

kendallroden picture kendallroden on 2 Nov 2020

@kendallroden That PR is unrelated to this feature. There aren't any PRs opened for this yet, since they're blocked by https://github.com/kubernetes/kubernetes/pull/95935. I'm hoping to get the PRs out today or tomorrow.

tallclair picture tallclair on 2 Nov 2020

Looks like this is not going to make the code freeze cutoff.

/milestone v1.21

tallclair picture tallclair on 5 Nov 2020
👍2

@tallclair May I join it? Maybe I can do some task on it.

JornShen picture JornShen on 12 Nov 2020

Unfortunately this slipped to v1.21, but I would greatly appreciate any help with getting it out next release! You can see my WIP PR here: https://github.com/kubernetes/kubernetes/pull/96188. It's totally broken at the moment, and I haven't had a chance to debug it yet. I think it has something to do with closing or not connecting the request bodies.

tallclair picture tallclair on 14 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

povsister picture povsister  路  5Comments
mitar picture mitar  路  8Comments
robscott picture robscott  路  11Comments
sparciii picture sparciii  路  13Comments
justaugustus picture justaugustus  路  3Comments